So we have sniffers that can show the packets that are being sent across a wired or wireless (802.11) network. I am just performing basic research on GSM sniffers and I would like to know if there are tools available for monitoring the space for specific frequency ranges and capturing data.

2 Answers
2

The hardware tool that is suited to this is the Universal Software Radio Peripheral (vendor site). You can get a leg up on decoding the transmissions by looking at the work done for the OpenBTS system. So, hardware-wise it's commodity equipment, though a few thousand dollars because it's not very common. Software-wise, the groundwork is already there to pull from.

Cellular data is typically encrypted between handset and tower, and so far most attacks against that have been active. Thus, complexity of sniffing usable data may be relatively high / a research project.

I believe it was 2008's DEFCON that had some discussions about this. Also, something to note is that handsets will jump to the strongest signal, which may be an unencrypted network. The standard dictates that there should be a pop-up letting the user know that they are no longer encrypted, but many retailers will disable that to avoid support calls. (This is just my understanding from the DEFCON talk, please correct me if I'm wrong.)
– Ormis Aug 8 '11 at 18:58

2

I was in the room for that talk... I believe it was DEFCON 18 (last year). That required an active MITM attack rather than eavesdropping. Much like breaking SSL vs. stripping SSL away, the easier one is the active attack in this case.
– Jeff Ferland♦ Aug 8 '11 at 19:15

The most commonly deployed 2G (GPRS/EDGE) ciphers have now been publicly broken, and the evidence indicates that they were once again intentionally left weak by the mobile industry designers. See this news coverage:

They also noted that some carriers don't even encrypt the data (i.e. using GEA/0) in order to detect the use of traffic or protocols they don't like, e.g. Skype.

GEA/3 seems to remain relatively hard to break and is said to be in use on some more modern networks. If used with USIM to prevent connections to fake base stations and downgrade attacks, users will be protected in the medium term, though migration to 128-bit GEA/4 is still recommended.

But GEA/0, GEA/1 and GEA/2 are widely deployed. So applications should use SSL/TLS for sensitive data, as they would on wifi networks.